Android Upgrades Open A Backdoor To Malware, Researchers Show

Updating software is to malware as flossing is to gingivitis: a basic practice meant to minimize the risk of infection. But a team of researchers has found that for Google's Android platform, operating system upgrades can also serve as a stealthy new method for malware to sneak its tricks past Android's security measures.

In a paper they plan to present at the IEEE Security and Privacy symposium in May, a team of researchers from Indiana University and Microsoft Research outline a devious new backdoor in Android's malware protections. It begins when a user is tricked into installing an innocuous-seeming application that asks for few or no permissions to access the phone's data or use its features. But when the user upgrades to the latest version of Android, the malware app silently upgrades itself, too, gaining new access to sensitive information and phone functions: the user's voicemails, login credentials, text messages, call logs and more, depending on the version of Android.

"The attacker takes advantage of the upgrade process to also elevate their malware's privileges on the phone," says Xiaofeng Wang, who leads Indiana University's Security Systems Lab. "What we've found is a very important and pervasive vulnerability in Android, and it exists on every Android device."

The researchers call the bugs they discovered "Pileup" flaws (short for Privileged Escalation Through Updating) and say they've found six distinct vulnerabilities in how Google's operating system handles OS upgrades, affecting at least 3,500 different customized versions of Android installed on handsets sold by LG, Samsung and HTC as well as Google's own official version of the software. They were able to upload apps capable of exploiting those Pileup flaws to both Google's official Play app store and Amazon's app platform.

I've reached out to Google for a response to the researchers' work, and I'll update this post when I hear back from the company.

Beyond merely gaining access to the user's data, the researchers write that their Pileup attacks could also in some cases substitute fraudulent apps for ones already installed on the phone, "contaminate" browser data to redirect browsing or plant fake bookmarks, or even block the installation of new apps.

Here's a video they made, showing how their attack can be used to hijack the default browser on an Android phone and take the user to a site that executes malicious JavaScript on the phone, potentially stealing login credentials for the user's Google account.

The researchers, of course, aren't suggesting that users stop upgrading Android devices. But they also write that another update from Google to patch the flaw won't solve the issue, due ironically to the infrequency with which users upgrade their Android devices. The researchers point out that only 2.5% of Android users are running the latest version of the software, known as KitKat, released in October of last year.

Instead, they've developed and uploaded to Google Play their own free security tool they call SecUP, or Secure Update Scanner, that scans apps for hidden permissions lying in wait for the next OS upgrade. They also recommend that Android users run antivirus software, though they warn that those commercial apps likely aren't tuned to detect Pileup-style attacks. "Even if Google comes up with a patch, it's very difficult to fix this because Android is so fragmented," says Wang. "Instead, our app checks for other apps on your system designed to do these nasty things."
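A minimal SecUP-style check, added here as an illustration and not the researchers' own tool: it parses an app's manifest and flags permissions the app requests that the installed platform does not yet define (dormant until a future OS release defines them), plus permissions the app declares itself under a system-style name. The manifest, the permission names and the installed permission set are all constructed for the example; a real scanner would pull the installed set from the device's platform package.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Constructed, deliberately tiny set standing in for the permissions defined
# by the currently installed Android release (not a real platform list).
INSTALLED_PERMISSIONS = {
    "android.permission.INTERNET",
    "android.permission.READ_CONTACTS",
}

# Constructed sample manifest; FUTURE_FEATURE / ANOTHER_FUTURE are placeholder
# names, not real Android permissions.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FUTURE_FEATURE"/>
  <permission android:name="android.permission.ANOTHER_FUTURE"/>
  <application/>
</manifest>"""

SYSTEM_PREFIXES = ("android.", "com.android.")


def find_latent_permissions(manifest_xml, installed):
    """Return permissions that could silently gain force after an OS upgrade.

    latent_requests: <uses-permission> names the installed release does not
      define; they are inert today but would be granted automatically if a
      later release introduces them.
    squatted_declarations: <permission> names the app defines itself in a
      system namespace, colliding with names a later release may define.
    """
    root = ET.fromstring(manifest_xml)
    requested = {e.get(NAME_ATTR) for e in root.iter("uses-permission")}
    declared = {e.get(NAME_ATTR) for e in root.iter("permission")}
    requested.discard(None)
    declared.discard(None)
    return {
        "latent_requests": sorted(requested - installed),
        "squatted_declarations": sorted(
            p for p in declared if p.startswith(SYSTEM_PREFIXES)
        ),
    }


if __name__ == "__main__":
    report = find_latent_permissions(SAMPLE_MANIFEST, INSTALLED_PERMISSIONS)
    for kind, names in report.items():
        print(kind, names or "none")
```

An app whose report comes back empty is not necessarily clean; the check only covers the manifest-level permission trick, not the other Pileup variants the article mentions.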

Read the researchers' full paper below, or a summary of their work they've put online here.